Server system, security improving method of server and computer program of the same

ABSTRACT

A server system is provided in which it is possible to avoid an improper operation or malicious operation on, for example, a power switch of a server. In such a system, both a management server and multiple servers are connected to a network. Each multiple server includes: an authentication key storing portion which stores an authentication key; and a management module which compares between data inputted by operating the operation switches and the authentication key stored in the authentication key storing portion, wherein the management module sets the operation switches available if the input data and the authentication key are the same. The management module includes a function of writing the authentication key received from the management server into the authentication key storing portion. The management server includes a virtualized environment software which transmits the authentication key to each of the multiple servers via the network.

Priority is claimed on Japanese Patent Application No. 2009-067720, filed on Mar. 19, 2009, the content of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a facility or building including many servers, for example, a datacenter. In particular, the present invention relates to a server system, a security improving method of a server and a computer program of such a system and method that can avoid improper operations, for example, a malicious (deliberate) operation or a careless operation on a power button, a reset button, and the like, by a person who is not appropriately authorized, and that can avoid, for example, an improper operation on a power button, a reset button, and the like, by a person who is appropriately authorized.

2. Description of Related Art

As is well known, each of many servers installed in, for example, a datacenter has a power button and a reset button on a front surface, and it is possible to turn off or reset the server by operating such buttons regardless of operation status of the server. However, if an operator of the server carelessly turns off or resets the server, such an operation causes a great amount of damage to clients using the server.

Therefore, in a datacenter or such a facility, a solution in which a locking operation is conducted on each of racks is used to avoid operations on the server by a person who is not authorized. However, in many cases, a locking operation is not conducted on each server mounted on such a rack, and it is not possible to avoid an improper operation in which a power button of the server is turned off by mistake when the rack is opened.

Regarding such a problem, various solutions are proposed in which, for example, a physical lock is provided with regard to each server, and authentication by using IC cards is conducted with regard to each server. However, if such solutions are applied to the servers, troublesome management operations are necessary with regard to all of many servers, and there is a demerit of increasing cost because new hardware should be physically provided. In addition, for example, in a case in which an administrator of a physical server and an administrator of a user environment are different, and in a case in which many logical servers are integrally managed by using a virtualized environment, it is difficult for a user to recognize a physical server on which an application software is executed, and there is a problem in which it is not possible to sufficiently conduct a management of physical keys.

Further, a portion of products provides an apparatus in which it is possible to select a mode that prohibits a function of a power button in advance. However, in such an apparatus, when the OS (operating system) does not respond to any commands or requests, there is a problem in which there is no solution other than pulling a power cable to forcibly disconnect the server.

As described above, when a virtualized environment is widely spread, for example, in a datacenter in which many servers are generally installed, it is not a practically acceptable solution to protect a power source of a server by using a lock or IC card. There may be a solution of combining an electric key which can be remote-controlled and software. However, in order to avoid a cost of providing such an electric key, it is desirable if it is possible to avoid an improper operation or malicious operation without using a special and physical solution.

SUMMARY OF THE INVENTION

The present invention was conceived in accordance with such a background. The object of the present invention is to provide a server system, a security improving method and a computer program of such a system and method in which it is possible to turn off or reset the server without conducting improper operations even in an urgent case in which a server administrator cannot support, in which it is possible to avoid an operation on a power source of the server by a malicious third person, and in which it is possible to avoid an improper operation or malicious operation without using a special and physical solution.

There are prior art documents that relate to the above-described technical field, for example, Japanese Unexamined Patent Applications, First Publication No. 2006-172186 and No. 2007-299427.

A solution of the above-described object is a server system including: at least one server connected to a network; and a management server connected to the network, wherein said management server includes a transmitting portion which transmits an authentication key to the server via the network, and said server includes: an authentication key storing portion which stores the authentication key; a writing portion which writes the authentication key received from the management server via the network in the authentication key storing portion; and a setting portion which, when data is inputted in accordance with operations on at least one operation switch, compares between the input data and the authentication key stored in the authentication key storing portion, and which conducts a first setting operation that sets the operation switch available when the input data and the authentication key are the same.

Another solution is a security improving method of a server system which includes at least one server connected to a network and a management server connected to the network, including steps of: transmitting an authentication key from the management server to the server via the network; writing the authentication key received from the management server in an authentication key storing portion of the server; generating input data which is inputted in accordance with operations on at least one operation switch; comparing between the input data and the authentication key stored in the authentication key storing portion; and conducting a first setting operation that sets the operation switch available when the input data and the authentication key are the same.

Another solution is a computer program of at least one server of a server system which includes the server connected to a network and a management server connected to the network, including executable instructions for: writing the authentication key received from the management server in an authentication key storing portion of the server; generating input data which is inputted in accordance with operations on at least one operation switch; comparing between the input data and the authentication key stored in the authentication key storing portion; and conducting a first setting operation that sets the operation switch available when the input data and the authentication key are the same.

In accordance with the above-described solutions, there is an advantage that can avoid malicious operations or improper operations on a server. In addition, by notifying only administrators of an authentication key who recognize a server as a specific logical server, it is possible to avoid an improper operation of turning off the server by a person because the person recognizes the server as a usual and physical server. In addition, the above-described solutions can be introduced at a low cost because it is not necessary to newly provide devices or gadgets, for example, a lock and a card reader.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram showing a constitution of a server system of one embodiment.

FIG. 2 is a flowchart that describes operations of the server system.

FIG. 3 is a flowchart that describes operations of the server system.

FIG. 4 is a drawing that explains an operation example of a power switch shown in FIG. 1.

DETAILED DESCRIPTION OF THE INVENTION

Hereinafter, in reference to drawings, an embodiment is explained.

In this embodiment, an authentication key specific to each logical server is transmitted from a management software of a virtualized environment to each physical server. Hereinafter, details are explained.

FIG. 1 is a drawing showing an outline constitution of a server system of one embodiment. It should be noted that, in a practical computer system, many servers are installed, and many clients are connected to the servers via a network. However, the drawings show only one server, and clients are omitted.

In FIG. 1, a reference numeral “1” is a management server (transmission means) which includes a virtualized environment management software 1a and which is connected to a network 2. A reference numeral “3” is a server which includes firmware 5 in a similar manner as generally used servers, and which has a power switch 6 and reset switch 7. In addition, as a characteristic constitution of this embodiment, the server 3 includes both a management module 8 (setting means, writing means) which monitors and checks physical operations on the server 3 and an authentication key storing portion (not shown in the drawings).

The management module 8 receives input signals which are generated, for example, as a number of operations of pressing down on the power switch 6 by an operator, and the management module 8 recognizes the input signals as an input of an authentication key. The management module 8 includes a means that transits the server to an unlocked mode when the inputted authentication key is recognized as “OK”, a means that stores an authentication key transmitted by an external management server 1 in an authentication key storing portion, and a means that removes the authentication key stored in the authentication key storing portion. In, for example, a virtualized environment, there is a precondition in which one physical server is commonly used between a multiple user environment, and in such an environment, it is possible to store multiple authorization keys. Further, if the server 3 is not transited to an unlocked mode, the server 3 is in a protected mode in which functions of, for example, turning off the power by using the power switch 6 and resetting the server by using the reset switch 7, that are initially provided cannot be available. In addition, the server 3 or the management module 8 has a function of transiting the server 3 to the protected mode when a predetermined time interval has passed after transition to the unlocked mode and/or when accepting one command or operation.

The virtualized environment management software 1a which is generally used is executed on the management server 1. The virtualized environment management software 1a which is generally used has information that can be used for identifying the physical server 3 on which a logical server is operating. Further, the virtualized environment management software 1a conducts a management operation on the physical server 3 to assign a logical server by using generally used methods. In addition, in a constitution of this embodiment, the environment management software 1a has a table for managing the authentication key corresponding to each of the logical servers and has a function to refer to the table. Further, the environment management software 1a has both a function of transmitting an authentication key when assigning a logical server to the physical server 3 and a function of requesting for removal of the authentication key when removing the logical server from the physical server 3.

Hereinafter, operations of this embodiment are explained. FIGS. 2 and 3 show an operational flow of this embodiment. First, in reference to FIG. 2, an operational flow of transmitting and removing the authentication key is explained. The virtualized environment management software 1a has a function of assigning/transporting/removing a virtualized server to and from the physical server 3. When a logical server (virtual server) is assigned to the physical server 3 (Step S1 of FIG. 2), the virtualized environment management software 1a reads an authentication key corresponding to the virtual server and transmits the authentication key to the physical server 3 to which the virtual server is assigned (Step S2). After receiving the authentication key, the physical server 3 registers the authentication key of the virtual server to the authentication key storing portion (Step S3). Further, when the virtualized environment management software 1a transports/removes the logical server which is assigned to the physical server, the virtualized environment management software 1a conducts a transport/removal operation of the logical server in accordance with a general method and requests the physical server 3 for removing the authentication key corresponding to the logical server from the physical server 3. After receiving such a request, the physical server 3 removes the authentication key from the authentication key storing portion. When transporting the logical server, in the same manner as a new registration, the virtualized environment management software 1a transmits the authentication key to another server which is a transportation destination and requests the server for storing the authentication key.

Hereinafter, in reference to FIGS. 3 and 4, operations of using the authentication key by the physical server are explained. First, when the authentication key is stored in the authentication key storing portion of the server 3, the server 3 is in a protected mode, that is, the server 3 is in a condition in which any operation on the power switch 6 or the reset switch 7 is not acceptable. However, if the server 3 is in a condition, for example, in which the authentication key is not stored in the authentication key storing portion because the server 3 is in an initial state, and in which all authentication keys are removed, the server 3 is not in the protected mode and can be operated by pressing keys in the same manner as generally used servers.

When the server 3 is in the protected mode, if an operator who is authorized turns off the server 3, first, the operator inputs the authentication key by pressing the power switch 6 (Step S4). For example, as shown in FIG. 4, if the authentication key is, for example, “3213”, the operator presses down on the power switch 6 three times successively without pause, then after a short pause, presses down on the power switch 6 two times successively without pause, followed by another short pause, presses down on the power switch 6 one time, again followed by a short pause and finally presses down on the power switch 6 three times successively without pause.

When such an operation is conducted, the management module 8 of the server 3 recognizes that an authentication key which is “3213” is received and compares the authentication key stored in the authentication key storing portion to the received authentication key (Step S5). After this, if these authentication keys are different (authentication NOT_OK), the server 3 waits for an input operation of the authentication key again. On the other hand, if these authentication keys are the same (authentication OK), the server 3 transits to a non-protected mode (unlocked mode). After this, in the same manner as the generally used servers, the power switch 6 works as a power switch, the reset switch 7 works as a reset switch, and it is possible to conduct a turn off of the power by operating the power switch 6 (Step S6). Further, when a predetermined time interval has passed after transition to the non-protected mode, the server 3 automatically transits to the protected mode.
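
The key registration and removal flow of FIG. 2 and the press-count entry of FIGS. 3 and 4, as an added sketch in C that is not code from the patent. The struct, the function names, the slot count and all timing thresholds are assumptions, and keys are limited to digits 1 to 9 because each digit is a count of presses.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_KEYS     8      /* assumed: one slot per logical server */
#define KEY_LEN      8      /* assumed maximum digits per key */
#define DIGIT_GAP_MS 600    /* assumed: short pause that ends one digit */
#define ENTRY_END_MS 2000   /* assumed: long pause that ends the entry */
#define UNLOCK_MS    30000  /* assumed "predetermined time interval" */

typedef struct {                       /* zero-initialise before use */
    char keys[MAX_KEYS][KEY_LEN + 1];  /* authentication key storing portion */
    char entry[KEY_LEN + 1];           /* digits decoded so far */
    int entry_len, burst;              /* burst = presses in the current digit */
    bool bad, unlocked;
    uint32_t last_press_ms, unlocked_at_ms;
} mgmt_module;

/* Steps S2/S3: store a key received from the management server. */
bool key_register(mgmt_module *m, const char *key) {
    size_t n = strlen(key);
    if (n == 0 || n > KEY_LEN) return false;
    for (size_t i = 0; i < n; i++)     /* only digits a press count can express */
        if (key[i] < '1' || key[i] > '9') return false;
    for (int i = 0; i < MAX_KEYS; i++)
        if (!m->keys[i][0]) { memcpy(m->keys[i], key, n + 1); return true; }
    return false;                      /* store full */
}

/* Removal request sent when the logical server is transported or removed. */
void key_remove(mgmt_module *m, const char *key) {
    for (int i = 0; i < MAX_KEYS; i++)
        if (strcmp(m->keys[i], key) == 0) m->keys[i][0] = '\0';
}

/* Switches work normally if no key is stored or an unlock window is open. */
bool switches_available(mgmt_module *m, uint32_t now_ms) {
    if (m->unlocked && now_ms - m->unlocked_at_ms >= UNLOCK_MS) m->unlocked = false;
    if (m->unlocked) return true;
    for (int i = 0; i < MAX_KEYS; i++)
        if (m->keys[i][0]) return false;
    return true;
}

/* Call periodically: turns pauses into digit and entry boundaries (Step S5). */
void mgmt_tick(mgmt_module *m, uint32_t now_ms) {
    uint32_t gap = now_ms - m->last_press_ms;
    if (m->burst && gap >= DIGIT_GAP_MS) {
        if (m->burst > 9 || m->entry_len >= KEY_LEN) m->bad = true;
        else m->entry[m->entry_len++] = (char)('0' + m->burst);
        m->burst = 0;
    }
    if ((m->entry_len || m->bad) && gap >= ENTRY_END_MS) {
        m->entry[m->entry_len] = '\0';
        for (int i = 0; !m->bad && i < MAX_KEYS; i++)   /* any stored key may match */
            if (strcmp(m->keys[i], m->entry) == 0)
                { m->unlocked = true; m->unlocked_at_ms = now_ms; }
        m->entry_len = 0; m->bad = false;
    }
}

/* Returns true if the press acts as a real power/reset operation (Step S6);
   one accepted operation returns the server to protected mode. */
bool on_press(mgmt_module *m, uint32_t now_ms) {
    mgmt_tick(m, now_ms);
    if (switches_available(m, now_ms)) { m->unlocked = false; return true; }
    m->burst++;                        /* protected mode: press is key input (S4) */
    m->last_press_ms = now_ms;
    return false;
}
```

As in the text, a failed entry simply returns to waiting for input; the sketch adds no attempt counter or lockout. It applies both relock conditions the description allows, the time interval and the single accepted operation.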

In the above-described embodiment, only the power switch 6 is operated when inputting the authentication key. However, it should be noted that it is possible to apply a predetermined pattern of operations on both the power switch 6 and the reset switch 7.

In accordance with the above-described embodiment, a person, for example, a malicious operator or an administrator of another server who does not know the authentication key, cannot operate the power switch 6 of the server, and it is possible to avoid malicious operations and improper operations. Further, if the authentication key is notified to only administrators who recognize the server as a logical server, it is possible to avoid improper operations of turning off the server due to an improper recognition in which the server is recognized as a usual physical server. Further, the above-described embodiment can be introduced at a low cost because it is not necessary to newly provide devices or gadgets, for example, a lock and a card reader. Further, it is possible to provide an environment that enables turning off or reset of the server even in an urgent case in which a server administrator cannot support while avoiding both human-caused mistakes and malicious tricks by a third person.

The above-described embodiment is mainly applied to a facility or building including many servers, for example, a datacenter.

While preferred embodiments of the present invention have been described and illustrated above, it should be understood that these are exemplary of the present invention and are not to be considered as limiting. Additions, omissions, substitutions, and other modifications can be made without departing from the spirit or scope of the present invention. Accordingly, the present invention is not to be considered as being limited by the foregoing description, and is only limited by the scope of the appended claims.

1. A server system comprising: at least one server connected to a network; and a management server connected to the network, wherein said management server comprises a transmitting portion which transmits an authentication key to the server via the network, and said server comprises: an authentication key storing portion which stores the authentication key; a writing portion which writes the authentication key received from the management server via the network in the authentication key storing portion; and a setting portion which, when data is inputted in accordance with operations on at least one operation switch, compares between the input data and the authentication key stored in the authentication key storing portion, and which conducts a first setting operation that sets the operation switch available when the input data and the authentication key are the same.
2. A server system according to claim 1, wherein said operation switch is a power switch or a reset switch.
3. A server system according to claim 1, wherein said setting portion conducts a second setting operation that sets the operation switch available if the authentication key is not stored in the authentication key storing portion.
4. A server system according to claim 1, wherein said setting portion conducts a third setting operation that sets the operation switch unavailable if a predetermined time interval has passed after setting the operation switch available or if one operation is accepted after setting the operation switch available.
5. A security improving method of a server system which includes at least one server connected to a network and a management server connected to the network, comprising steps of: transmitting an authentication key from the management server to the server via the network; writing the authentication key received from the management server in an authentication key storing portion of the server; generating input data which is inputted in accordance with operations on at least one operation switch; comparing between the input data and the authentication key stored in the authentication key storing portion; and conducting a first setting operation that sets the operation switch available when the input data and the authentication key are the same.
6. A security improving method of a server system according to claim 5, wherein said operation switch is a power switch or a reset switch.
7. A security improving method of a server system according to claim 5, further comprising steps of: conducting a second setting operation by the server that sets the operation switch available if the authentication key is not stored in the authentication key storing portion.
8. A security improving method of a server system according to claim 5, further comprising steps of: conducting a third setting operation by the server that sets the operation switch unavailable if a predetermined time interval has passed after setting the operation switch available or if one operation is accepted after setting the operation switch available.
9. A computer program which is stored on a computer readable medium of at least one server of a server system which includes the server connected to a network and a management server connected to the network, comprising executable instructions for: writing the authentication key received from the management server in an authentication key storing portion of the server; generating input data which is inputted in accordance with operations on at least one operation switch; comparing between the input data and the authentication key stored in the authentication key storing portion; and conducting a first setting operation that sets the operation switch available when the input data and the authentication key are the same.
10. A computer program according to claim 9, wherein said operation switch is a power switch or a reset switch.
11. A computer program according to claim 9, further comprising steps of: conducting a second setting operation that sets the operation switch available if the authentication key is not stored in the authentication key storing portion.
12. A computer program according to claim 9, further comprising steps of: conducting a third setting operation that sets the operation switch unavailable if a predetermined time interval has passed after setting the operation switch available or if one operation is accepted after setting the operation switch available.